Ensure that sess_cert is not NULL before trying to use it.

Fixes CVE-2014-3470, from OpenSSL. ok deraadt@
author: jsing <jsing@openbsd.org> 2014-06-05 17:47:16 +0000
committer: jsing <jsing@openbsd.org> 2014-06-05 17:47:16 +0000
commit: 2bce330025b6044bd9ed1927f573a40b417a199b (patch)
tree: 14e48849823ccd276b518757c3f5b41b3eb6cb5b /lib/libssl/src
parent: Avoid a buffer overflow that can be triggered by sending specially crafted (diff)
download: wireguard-openbsd-2bce330025b6044bd9ed1927f573a40b417a199b.tar.xz
wireguard-openbsd-2bce330025b6044bd9ed1927f573a40b417a199b.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index 2b538f21b43..d1455cffc11 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -2156,6 +2156,14 @@ ssl3_send_client_key_exchange(SSL *s)
 			int ecdh_clnt_cert = 0;
 			int field_size = 0;
 
+			if (s->session->sess_cert == NULL) {
+				ssl3_send_alert(s, SSL3_AL_FATAL,
+				    SSL_AD_UNEXPECTED_MESSAGE);
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+				    SSL_R_UNEXPECTED_MESSAGE);
+				goto err;
+			}
+
 			/*
 			 * Did we send out the client's ECDH share for use
 			 * in premaster computation as part of client
author	jsing <jsing@openbsd.org>	2014-06-05 17:47:16 +0000
committer	jsing <jsing@openbsd.org>	2014-06-05 17:47:16 +0000
commit	2bce330025b6044bd9ed1927f573a40b417a199b (patch)
tree	14e48849823ccd276b518757c3f5b41b3eb6cb5b /lib/libssl/src
parent	Avoid a buffer overflow that can be triggered by sending specially crafted (diff)
download	wireguard-openbsd-2bce330025b6044bd9ed1927f573a40b417a199b.tar.xz wireguard-openbsd-2bce330025b6044bd9ed1927f573a40b417a199b.zip